In this paper, we present a formalization of Kozen's propositional modal μ-calculus in the Calculus of Inductive Constructions. We address several problematic issues, such as the use of higher-order abstract syntax in inductive sets in the presence of recursive constructors, the encoding of modal ("proof") rules and of context-sensitive grammars. The encoding can be used in the Coq system, providing an experimental computer-aided proof environment for the interactive development of error-free proofs in the μ-calculus. The techniques we adopted can be readily ported to other languages and proof systems featuring similar problematic issues.



Introduction 

In this paper, we present a formalization of Kozen's propositional modal μ-calculus, often referred to as μK, in the Coq proof assistant.

The μ-calculus is a temporal logic which subsumes many modal and temporal logics, such as PDL, CTL, CTL*, ECTL. Despite its expressive power, μK enjoys nice properties such as decidability and the finite model property. The long-standing open problem of the axiomatizability of μK has been solved by Walukiewicz, who has proved the completeness of Kozen's original system. Therefore, the μ-calculus is an ideal candidate as a logic for the verification of processes. Nevertheless, like any formal system, its applicability to non-trivial cases is limited by long, difficult, error-prone proofs.

This drawback can be (partially) overcome by supplying the user with a 
computer-aided proof environment, that is, a system in which he can represent 
(encode, formalize) the formal system, more or less abstractly: its syntax, 
axioms, rules and inference mechanisms. After having supplied the proof 
environment with a representation of the formal system, the user should be 
able to correctly manipulate (the representations of) the proofs. 

However, the implementation of a proof environment for a specific formal system is a complex, time-consuming, and daunting task. The environment should provide tools for checking previously hand-made proofs; developing interactively, step-by-step, error-free proofs from scratch; reusing previously proved properties; even deriving properties automatically, when feasible, freeing the user from the most unpleasant and error-prone steps.
An alternative, and promising, solution is to develop a general theory of logical systems, that is, a Logical Framework (LF). A Logical Framework is a metalogical formalism for the specification of both the syntactic and the deductive notions of a wide range of formal systems. Logical Frameworks always provide suitable means for representing and dealing with, in the metalogical formalism, the proofs and derivations of the object formal system. Much of the implementation effort can be expended once and for all; hence, the implementation of a Logical Framework yields a logic-independent proof development environment. Such an environment must be able to check the validity of deductions in any formal system, once it has been provided with the specification of the system in the formalism of the Logical Framework.

In recent years, several different frameworks have been proposed, implemented and applied to many formal systems. Type theories have emerged as leading candidates for Logical Frameworks. Simply typed λ-calculus and minimal intuitionistic propositional logic are connected by the well-known propositions-as-types paradigm. Stronger type theories, such as the Edinburgh Logical Framework (ELF), the Calculus of Inductive Constructions (CIC) and Martin-Löf's type theory (MLTT), were especially designed, or can be fruitfully used, as logical frameworks. In these frameworks, we can represent faithfully and uniformly all the relevant concepts of the inference process in a logical system: syntactic categories, terms, assertions, axiom schemata, rule schemata, tactics, etc., via the judgements-as-types, proofs-as-λ-terms paradigm. The key concept is that of hypothetico-general judgement, which is rendered as a type of the dependently typed λ-calculus of the Logical Framework. With this interpretation, a judgement is viewed as a type whose inhabitants correspond to proofs of this judgement.

It is worth noticing that Logical Frameworks based on type theory directly give rise to proof systems in Natural Deduction style. This follows directly from the fact that the typing systems of the underlying λ-calculi are in Natural Deduction style, and rules and proofs are faithfully represented by λ-terms. As is well known, Natural Deduction style systems are better suited to practical usage, since they allow for developing proofs the way mathematicians normally reason.

These type theories have been implemented in logic-independent systems such as Coq, LEGO, and ALF. These systems can be readily turned into interactive proof development environments for a specific logic: we need only provide the specification of the formal system (the signature), i.e. a declaration of typed constants corresponding to the syntactic categories, term constructors, judgements, and rule schemata of the logic. It is possible to prove, informally but rigorously, that a formal system is correctly and adequately represented by its specification in the Logical Framework. This proof usually exhibits bijective maps between objects of the formal system (terms, formulas, proofs) and the corresponding λ-terms of the encoding.

In this paper, we investigate the applicability of this approach to the propositional μ-calculus. Due to its expressive power, we adopt the Calculus of Inductive Constructions, implemented in the system Coq. Besides its expressive power and importance in the theory and verification of processes, the μ-calculus is interesting also for its syntactic and proof-theoretic peculiarities. These idiosyncrasies are mainly due to a) the negative arity of μ (i.e., the bound variable $x$ ranges over the same syntactic class as $\mu x\varphi$); b) the context-sensitive grammar (the condition on the formation of $\mu x\varphi$); c) rules with complex side conditions ("proof rules"). These anomalies escape the "standard" representation paradigm of Logical Frameworks; that is, there is no "standard" way to represent them in a Logical Framework. Hence, we will adopt new efficient representation techniques, which can be ported to other systems featuring the same anomalies. Moreover, since generated editors allow the user to reason "under assumptions", the designer of a proof editor for a given logic is urged to look for a Natural Deduction formulation which can take best advantage of the possibility of manipulating assumptions.

Besides these practical and theoretical motivations, this work can give insights into the expressive power of CIC and Coq. Indeed, the encoding techniques we will adopt take full advantage of pragmatic features offered by Coq, such as the automatic simplification of terms, in order to simplify as much as possible the task of proof development.

Structure of this paper. In Section 1, we recall the language and the semantics of μK. We will also introduce a semantical consequence relation, which will be the semantical counterpart of the proof system. The Natural Deduction style proof system NμK will be introduced in Section 2. In this section we will also present a proof system for capturing the well-formedness condition on formulae of the form $\mu x\varphi$. In Section 3 we will discuss the formalization of μK in CIC. We will see that μK has some peculiarities which are difficult to encode in CIC; we will present some solutions. We will suppose the reader to be familiar with CIC and the Coq system.

Final comments and remarks are reported in Section 4. Longer listings of Coq code are reported in the appendix.

1 Syntax, semantics and consequence relation 

The language of μK is an extension of the syntax of propositional dynamic logic. Let $Act$ be a set of actions (ranged over by $a, b, c$), $\Phi_0$ a set of atomic propositional letters (ranged over by $p$), and $Var$ a set of propositional variables (ranged over by $x, y, z$); then, the syntax of the μ-calculus on $Act$ is:

$$\Phi : \varphi ::= p \mid \mathit{ff} \mid \neg\varphi \mid \varphi \supset \varphi \mid [a]\varphi \mid x \mid \mu x\varphi$$

where the formation of $\mu x\varphi$ is subject to the positivity condition: every occurrence of $x$ in $\varphi$ has to appear inside an even number of negations (in the following we will spell out this condition in more detail). We call preformulae the language obtained by dropping the positivity condition. The variable $x$ is bound in $\mu x\varphi$; the usual conventions about α-equivalence apply. We write $\nu x\varphi$ as a shorthand for $\neg\mu x(\neg\varphi[\neg x/x])$.

The interpretation of the μ-calculus comes from Modal Logic. A model for the μ-calculus is a transition system, that is, a pair $\mathcal M = (S, [\![\cdot]\!]_{\mathcal M})$ where $S$ is a (generic) nonempty set of (abstract) states, ranged over by $s, t, r$, and $[\![\cdot]\!]_{\mathcal M}$ is the interpretation of atomic propositional and command symbols: for all $p, a$, we have $[\![p]\!]_{\mathcal M} \subseteq S$ and $[\![a]\!]_{\mathcal M} : S \to \mathcal P(S)$.

Formulae of the μ-calculus may have free propositional variables; therefore, we need to introduce environments, which are functions assigning sets of states to propositional variables: $Env \triangleq Var \to \mathcal P(S)$. Given a model $\mathcal M = (S, [\![\cdot]\!])$ and an environment $\rho$, the semantics of a formula is the set of states in which it holds, and it is defined by extending $[\![\cdot]\!]$ compositionally, as follows:



$$\begin{array}{rcl}
[\![p]\!]_{\mathcal M}\rho &=& [\![p]\!]_{\mathcal M}\\
[\![\mathit{ff}]\!]_{\mathcal M}\rho &=& \emptyset\\
[\![x]\!]_{\mathcal M}\rho &=& \rho(x)\\
[\![\neg\varphi]\!]_{\mathcal M}\rho &=& S \setminus [\![\varphi]\!]_{\mathcal M}\rho\\
[\![\varphi \supset \psi]\!]_{\mathcal M}\rho &=& (S \setminus [\![\varphi]\!]_{\mathcal M}\rho) \cup [\![\psi]\!]_{\mathcal M}\rho\\
[\![[a]\varphi]\!]_{\mathcal M}\rho &=& \{ s \in S \mid \forall r \in [\![a]\!]_{\mathcal M}s : r \in [\![\varphi]\!]_{\mathcal M}\rho \}\\
[\![\mu x\varphi]\!]_{\mathcal M}\rho &=& \bigcap \{ T \subseteq S \mid [\![\varphi]\!]_{\mathcal M}\rho[x \mapsto T] \subseteq T \}
\end{array}$$



It is customary to view a formula $\varphi$ with a free variable $x$ as defining a function $\varphi^\rho_x : \mathcal P(S) \to \mathcal P(S)$, such that for all $U \subseteq S$: $\varphi^\rho_x(U) = [\![\varphi]\!]_{\mathcal M}\rho[x \mapsto U]$. The intuitive interpretation of $\mu x\varphi$ is then the least fixed point of $\varphi^\rho_x$. The condition on the formation of $\mu x\varphi$ ensures the existence of the lfp:

Proposition 1 Let $\varphi$ be a formula and $x$ a variable occurring only positively in $\varphi$. Then, in every environment $\rho$, $\varphi^\rho_x$ has both the least and the greatest fixed point. In particular, the lfp of $\varphi^\rho_x$ is $[\![\mu x\varphi]\!]_{\mathcal M}\rho$.

Proof. (Sketch) It is easy to show, by induction on the syntax of $\varphi$, that $\varphi^\rho_x$ is monotone; the result follows from the Knaster-Tarski theorem. □

Notice that this result does not hold if we drop the condition on the formation of $\mu x\varphi$: for instance, the formula $\neg x$ identifies the function $(\neg x)^\rho_x(T) = S \setminus T$, which is not monotone and has no lfp.
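The following is an added example, not part of the original paper: a direct Python transcription of the semantics above over a small finite transition system. Formulae are nested tuples (a constructed representation; the paper's own encoding is the Coq type `o` of Section 3), the model is a constructed four-state system with one action `a` and one letter `q`, and the `mu` case is computed literally as the meet of all prefixed points, so that it can also be evaluated on the preformula $\neg x$ to show that the meet is then not a fixed point and that $(\neg x)^\rho_x$ is not monotone.

```python
from itertools import combinations

# Constructed AST for preformulae (the paper's own encoding is the Coq type o):
#   ('p', name) ('ff',) ('not', f) ('imp', f, g) ('box', action, f) ('var', x) ('mu', x, f)

def subsets(S):
    """The powerset P(S) of a finite state set S."""
    S = sorted(S)
    return [frozenset(c) for r in range(len(S) + 1) for c in combinations(S, r)]

def sem(phi, model, rho=None):
    """[[phi]]_M rho: the set of states of `model` in which phi holds.
    model = {'S': states, 'letters': {p: set}, 'actions': {a: {s: successors}}}."""
    rho = rho or {}
    S = model['S']
    tag = phi[0]
    if tag == 'p':
        return frozenset(model['letters'][phi[1]])
    if tag == 'ff':
        return frozenset()
    if tag == 'var':
        return frozenset(rho[phi[1]])
    if tag == 'not':
        return S - sem(phi[1], model, rho)
    if tag == 'imp':
        return (S - sem(phi[1], model, rho)) | sem(phi[2], model, rho)
    if tag == 'box':
        succ = model['actions'][phi[1]]
        body = sem(phi[2], model, rho)
        return frozenset(s for s in S if succ.get(s, frozenset()) <= body)
    if tag == 'mu':
        f = fp_function(phi[2], phi[1], model, rho)
        # Knaster-Tarski: the meet of all prefixed points T with f(T) <= T
        prefixed = [T for T in subsets(S) if f(T) <= T]
        return frozenset.intersection(*prefixed)
    raise ValueError(f"unknown constructor {tag}")

def fp_function(phi, x, model, rho=None):
    """phi^rho_x : P(S) -> P(S), U |-> [[phi]]_M rho[x |-> U]."""
    rho = rho or {}
    return lambda U: sem(phi, model, {**rho, x: frozenset(U)})

def is_monotone(f, S):
    """Brute-force check of U <= V  ==>  f(U) <= f(V) over all pairs of subsets."""
    ps = subsets(S)
    return all(f(U) <= f(V) for U in ps for V in ps if U <= V)

def is_fixed_point(f, T):
    return f(T) == T

# Constructed model: action a with 0 -a-> 1, 1 -a-> 3, 2 -a-> 2; state 3 has no successor
MODEL = {
    'S': frozenset({0, 1, 2, 3}),
    'letters': {'q': {0, 2}},
    'actions': {'a': {0: frozenset({1}), 1: frozenset({3}), 2: frozenset({2})}},
}

BOX_X = ('box', 'a', ('var', 'x'))
MU_BOX = ('mu', 'x', BOX_X)        # mu x.[a]x: "every a-path from here is finite"
NEG_X = ('not', ('var', 'x'))      # the non-monotone counterexample of Proposition 1

if __name__ == '__main__':
    print(sorted(sem(MU_BOX, MODEL)))                 # [0, 1, 3]: state 2 loops forever
    f_box = fp_function(BOX_X, 'x', MODEL)
    f_neg = fp_function(NEG_X, 'x', MODEL)
    print(is_monotone(f_box, MODEL['S']), is_monotone(f_neg, MODEL['S']))   # True False
    meet = sem(('mu', 'x', NEG_X), MODEL)             # the meet exists (it is S) ...
    print(is_fixed_point(f_neg, meet))                # ... but it is not a fixed point: False
```

The meet of the prefixed points always exists on a finite lattice; what Proposition 1 adds is that, for positive $\varphi$, it is a fixed point. On $\neg x$ the only prefixed point is $S$ itself, and $(\neg x)^\rho_x(S) = \emptyset \neq S$.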

In order to have a semantical counterpart of the syntactic notion of "deduction", we introduce a consequence relation for the μ-calculus, which is an extension of the finitary truth consequence relations of propositional dynamic logic.

Figure 1. ND-style systems for classical logic, modal logic and propositional μ-calculus (figure not reproduced here).

Definition 1 (Consequence Relations for μK) Let $\mathcal M$ be a model for μK and $[\![\cdot]\!]_{\mathcal M}$ be the interpretation in $\mathcal M$. The (truth) consequence relation for μK wrt $\mathcal M$ is a relation $\models_{\mathcal M} \subseteq \mathcal P(\Phi) \times \Phi$ defined as follows:

$$\Gamma \models_{\mathcal M} \varphi \iff \forall\rho.\ \bigcap_{\psi \in \Gamma} [\![\psi]\!]_{\mathcal M}\rho \subseteq [\![\varphi]\!]_{\mathcal M}\rho.$$

The (absolute) truth CR for μK is: $\Gamma \models \varphi \iff \forall\mathcal M.\ \Gamma \models_{\mathcal M} \varphi$.

The finitary truth consequence relation is the restriction of $\models$ to finite sets: $\Gamma \models_f \varphi \iff \exists\Delta \subseteq \Gamma$ finite. $\Delta \models \varphi$.

In the following, for the sake of simplicity, we will drop the $f$, denoting by $\models$ the finitary CR $\models_f$.

2 A Natural Deduction style system for μK

Usually, systems for the μ-calculus are given in Hilbert style. Here we present a Natural Deduction style system for μK, namely NμK. This system is composed of a system for classical propositional logic (NC), extended with two rules for the minimal modal logic (NK) and two new rules (introduction and elimination) for the new constructor μ, as presented in Figure 1. These rules are presented in a sequent (Gentzen-like) fashion; this allows us to spell out clearly the side conditions on hypotheses in the μ-E and [·]-I rules. Of course, all these rules can also be written in the more customary Natural Deduction style, like the following:

$$\frac{\mu x\varphi \qquad \begin{array}{c}[\varphi[\psi/x]]\\ \vdots\\ \psi\end{array}}{\psi}\ \mu\text{-E}\qquad \psi \text{ does not depend on any other hypothesis beside } \varphi[\psi/x]$$

$$\frac{\varphi}{[a]\varphi}\ [\cdot]\text{-I}\qquad \varphi \text{ does not depend on any hypothesis}$$
$$\begin{array}{ll}
\text{PosinP}\ \dfrac{p \in \Phi_0}{\mathit{posin}(x,p)} & \text{NeginP}\ \dfrac{p \in \Phi_0}{\mathit{negin}(x,p)}\\[2ex]
\text{PosinV}\ \dfrac{y \in Var}{\mathit{posin}(x,y)} & \text{NeginV}\ \dfrac{y \in Var \quad y \neq x}{\mathit{negin}(x,y)}\\[2ex]
\text{PosinImp}\ \dfrac{\mathit{negin}(x,\varphi)\quad \mathit{posin}(x,\psi)}{\mathit{posin}(x,\varphi \supset \psi)} & \text{NeginImp}\ \dfrac{\mathit{posin}(x,\varphi)\quad \mathit{negin}(x,\psi)}{\mathit{negin}(x,\varphi \supset \psi)}\\[2ex]
\text{PosinNeg}\ \dfrac{\mathit{negin}(x,\varphi)}{\mathit{posin}(x,\neg\varphi)} & \text{NeginNeg}\ \dfrac{\mathit{posin}(x,\varphi)}{\mathit{negin}(x,\neg\varphi)}\\[2ex]
\text{PosinBox}\ \dfrac{\mathit{posin}(x,\varphi)}{\mathit{posin}(x,[a]\varphi)} & \text{NeginBox}\ \dfrac{\mathit{negin}(x,\varphi)}{\mathit{negin}(x,[a]\varphi)}\\[2ex]
\text{PosinMu}\ \dfrac{\text{for } z \neq x:\ \mathit{posin}(x,\varphi[z/y])}{\mathit{posin}(x,\mu y\varphi)} & \text{NeginMu}\ \dfrac{\text{for } z \neq x:\ \mathit{negin}(x,\varphi[z/y])}{\mathit{negin}(x,\mu y\varphi)}
\end{array}$$

Figure 2. The positivity proof system.



Notice that the side conditions of these two rules are the very same: in fact, μ-E can be stated as

$$\frac{\vdash \varphi[\psi/x] \supset \psi \qquad \Gamma \vdash \mu x\varphi}{\Gamma \vdash \psi}$$

here, the left subderivation has to depend on no assumptions, like in the necessitation rule [·]-I of modal logic.

The rules for μ have a direct semantic interpretation: the introduction rule states that (the meaning of) $\mu x\varphi$ is a prefixed point of $\varphi^\rho_x$; the elimination rule states that (the meaning of) $\mu x\varphi$ implies, and hence "is less than", any prefixed point of $\varphi^\rho_x$. Therefore, these rules state that (the meaning of) $\mu x\varphi$ is the minimum prefixed point, i.e. the least fixed point, of $\varphi^\rho_x$.

The resulting system is then sound and complete with respect to the (finitary) truth consequence relation:

Theorem 2 For $\Gamma$ a finite set of formulae and $\varphi$ a formula: $\Gamma \vdash \varphi \iff \Gamma \models \varphi$.

Proof. (Sketch) Soundness is proved by showing that each rule is sound. Completeness can be proved as follows. Since $\Gamma$ is finite, $\Gamma \models \varphi \iff\ \models \bigwedge\Gamma \supset \varphi$. By completeness of Kozen's axiomatization, there is a Hilbert-style derivation of $\bigwedge\Gamma \supset \varphi$. Therefore, it is sufficient to prove that Kozen's axioms and rules are derivable in NμK. □
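To make the side conditions of the sequent presentation concrete, here is an added example (not code from the paper) of a small derivation checker for NμK in Python. The rule set is transcribed from the Coq axioms of Appendix A.2 (Imp_I, Imp_E, Not_I, ff_I, RAA, Box_I, K, mu_I, mu_E) plus an assumption rule; a sequent is a pair (set of hypotheses, formula) and formulae are nested tuples, both constructed representations. Well-formedness premises are not checked here. The checker enforces exactly the two conditions discussed above: the premise of [·]-I and the left premise of μ-E must be derived from no hypothesis at all. The first sample derivation is the one carried out in the Coq session of Appendix A.3; the second shows that the same derivation of $[a]A$ from the hypothesis $A$ is rejected.

```python
# Constructed AST for formulae (the paper's own encoding is the Coq type o):
#   ('p', name) ('ff',) ('not', f) ('imp', f, g) ('box', action, f) ('var', x) ('mu', x, f)
# A sequent is (G, phi) with G a frozenset of formulae; a derivation is (rule, sequent, subs).

def subst(phi, x, t):
    """phi[t/x]: replace the free occurrences of x in phi by the formula t
    (the samples below contain no binder that could capture a variable of t)."""
    tag = phi[0]
    if tag == 'var': return t if phi[1] == x else phi
    if tag == 'not': return ('not', subst(phi[1], x, t))
    if tag == 'imp': return ('imp', subst(phi[1], x, t), subst(phi[2], x, t))
    if tag == 'box': return ('box', phi[1], subst(phi[2], x, t))
    if tag == 'mu':  return phi if phi[1] == x else ('mu', phi[1], subst(phi[2], x, t))
    return phi

def same_ctx(G, prem):
    return all(g == G for g, _ in prem)

def ax(G, phi, prem):     return not prem and phi in G
def imp_i(G, phi, prem):  # G |- A > B  from  G, A |- B
    return phi[0] == 'imp' and len(prem) == 1 and prem[0] == (G | {phi[1]}, phi[2])
def imp_e(G, phi, prem):  # G |- B  from  G |- A > B  and  G |- A
    return len(prem) == 2 and same_ctx(G, prem) and prem[0][1] == ('imp', prem[1][1], phi)
def not_i(G, phi, prem):  # G |- ~A  from  G, A |- ff
    return phi[0] == 'not' and len(prem) == 1 and prem[0] == (G | {phi[1]}, ('ff',))
def ff_i(G, phi, prem):   # G |- ff  from  G |- A  and  G |- ~A
    return (phi == ('ff',) and len(prem) == 2 and same_ctx(G, prem)
            and prem[1][1] == ('not', prem[0][1]))
def raa(G, phi, prem):    # G |- A  from  G, ~A |- ff
    return len(prem) == 1 and prem[0] == (G | {('not', phi)}, ('ff',))
def box_i(G, phi, prem):  # G |- [a]A  from  |- A : the premise depends on NO hypothesis
    return phi[0] == 'box' and len(prem) == 1 and prem[0] == (frozenset(), phi[2])
def k(G, phi, prem):      # G |- [a]B  from  G |- [a](A > B)  and  G |- [a]A
    if phi[0] != 'box' or len(prem) != 2 or not same_ctx(G, prem):
        return False
    a, b, boxed_imp, boxed_a = phi[1], phi[2], prem[0][1], prem[1][1]
    return boxed_a[0] == 'box' and boxed_a[1] == a and boxed_imp == ('box', a, ('imp', boxed_a[2], b))
def mu_i(G, phi, prem):   # G |- mu x.A  from  G |- A[mu x.A / x]
    return phi[0] == 'mu' and len(prem) == 1 and prem[0] == (G, subst(phi[2], phi[1], phi))
def mu_e(G, phi, prem):   # G |- B  from  |- A[B/x] > B (closed!)  and  G |- mu x.A
    if len(prem) != 2:
        return False
    (G1, left), (G2, m) = prem
    return (G1 == frozenset() and G2 == G and m[0] == 'mu'
            and left == ('imp', subst(m[2], m[1], phi), phi))

RULES = {'Ax': ax, 'Imp_I': imp_i, 'Imp_E': imp_e, 'Not_I': not_i, 'ff_I': ff_i,
         'RAA': raa, 'Box_I': box_i, 'K': k, 'mu_I': mu_i, 'mu_E': mu_e}

def check(deriv):
    """True iff deriv is a correct NmuK derivation; raises ValueError at the first bad step."""
    rule, (G, phi), subs = deriv
    for s in subs:
        check(s)
    if not RULES[rule](G, phi, [s[1] for s in subs]):
        raise ValueError(f"invalid application of {rule} concluding {phi}")
    return True

def is_valid(deriv):
    try:
        return check(deriv)
    except ValueError:
        return False

# Sample 1 (Appendix A.3):  A > mu x(A > x)  |-  mu x(A > x)
A = ('p', 'A')
MU = ('mu', 'x', ('imp', A, ('var', 'x')))
G1 = frozenset({('imp', A, MU)})
GOOD = ('mu_I', (G1, MU), [('Ax', (G1, ('imp', A, MU)), [])])

# Sample 2: mu-E with a closed left premise  |- (A > (A > A)) > (A > A),  so  mu x(A > x) |- A > A
PSI = ('imp', A, A)
PHIPSI = ('imp', A, PSI)                     # (A > x)[PSI/x]
CLOSED = ('Imp_I', (frozenset(), ('imp', PHIPSI, PSI)),
          [('Imp_I', (frozenset({PHIPSI}), PSI),
            [('Ax', (frozenset({PHIPSI, A}), A), [])])])
GOOD_MU_E = ('mu_E', (frozenset({MU}), PSI), [CLOSED, ('Ax', (frozenset({MU}), MU), [])])

# Sample 3: a misuse of [.]-I, the premise A depends on the hypothesis A
BAD = ('Box_I', (frozenset({A}), ('box', 'a', A)), [('Ax', (frozenset({A}), A), [])])
```

Running `is_valid` on the three samples gives True, True and False respectively; the rejected derivation is exactly what the world-quantified premise `(w':U)(T w' A)` of the Coq axiom `Box_I` rules out in Section 3.2.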
Since we aim to encode the μ-calculus in some logical framework, we need to enforce the context-sensitive condition on the formation of formulas of the form $\mu x\varphi$. That is, we ought to specify in detail the condition of "occurring positively in a formula" for a variable. This notion can be represented by two new judgements on formulae and variables, posin and negin, which are derived by means of the rules in Figure 2. Roughly, $\mathit{posin}(x,\varphi)$ holds iff all occurrences of $x$ in $\varphi$ are positive; dually, $\mathit{negin}(x,\varphi)$ holds iff all occurrences of $x$ in $\varphi$ are negative. Notice that if $x$ does not occur in $\varphi$, then it occurs both positively and negatively.
Let us formalize better the meaning of these auxiliary judgements. The notions they capture are the following:

Definition 2 (Monotonicity and Antimonotonicity) Let $\varphi$ be a formula and $x$ a variable. We say that $\varphi$ is monotone on $x$ (written $Mon_x(\varphi)$) iff $\forall\mathcal M, \forall\rho, \forall U, V \subseteq S$: $U \subseteq V \Rightarrow \varphi^\rho_x(U) \subseteq \varphi^\rho_x(V)$. We say that $\varphi$ is antimonotone on $x$ (written $AntiMon_x(\varphi)$) iff $\forall\mathcal M, \forall\rho, \forall U, V \subseteq S$: $U \subseteq V \Rightarrow \varphi^\rho_x(U) \supseteq \varphi^\rho_x(V)$.

These notions refer directly to the semantic structures in which formulae take meaning. The following result proves that the syntactic condition of positivity (respectively, negativity) correctly captures the semantic condition of monotonicity (respectively, antimonotonicity).

Proposition 3 For all $\varphi \in \Phi$, $x \in Var$: $\vdash \mathit{posin}(x,\varphi) \Rightarrow Mon_x(\varphi)$ and $\vdash \mathit{negin}(x,\varphi) \Rightarrow AntiMon_x(\varphi)$.

Proof. By simultaneous induction on the syntax of $\varphi$. □

Notice that the converse of Proposition 3 does not hold. Consider e.g. $\varphi \triangleq (x \supset x)$: clearly, $[\![\varphi]\!]_{\mathcal M}\rho = S$ always, and hence $(x \supset x)^\rho_x$ is both monotone and antimonotone. However, $x$ occurs neither only positively nor only negatively in $\varphi$. Correspondingly, we can derive neither $\vdash \mathit{posin}(x, (x \supset x))$ nor $\vdash \mathit{negin}(x, (x \supset x))$. This result can be generalized in the following limitation property:

Proposition 4 If $x \in FV(\psi)$ occurs both positively and negatively in $\psi$, then neither $\mathit{posin}(x,\psi)$ nor $\mathit{negin}(x,\psi)$ is derivable.

Proof. (Sketch) By induction on the syntax of $\psi$. □

However, we can restrict ourselves to positive formulas only w.l.o.g.: by Lyndon's theorem, every monotone formula is equivalent to a positive one.

3 The encoding of the μ-calculus

In this section we present the encoding of the μ-calculus in the Calculus of Inductive Constructions. We will present both the formalization of the language and that of the proof system NμK given in Section 2.

3.1 Encoding the language 

The encoding of the language of the μ-calculus is quite elaborate. The customary approach is to define an inductive type, o:Set, whose constructors correspond to those of the language of μK. In order to take full advantage of the α-conversion and substitution machinery provided by the metalanguage, we adopt higher-order abstract syntax. In this approach, binding constructors (like μ) are rendered by higher-order term constructors; that is, they take a function. The naive representation of μ, therefore, would be mu:(o->o)->o; however, this solution does not work inside an inductive definition of CIC, because it leads to a non-well-founded definition.

The second problem is the presence of a context-sensitive condition on the applicability of μ: in order to construct a formula of the form $\mu x\varphi$, we have to make sure that $x$ occurs positively in $\varphi$. Inductive types do not support this kind of restriction, since they define only context-free languages.

In order to overcome the first problem, we adopt the bookkeeping via Leibniz equality technique. We introduce a separate type, var, for the identifiers. The role played by variables is that of "placeholders" for formulas: they can be replaced by formulae in the application of the μ-I and μ-E rules. However, we do not introduce any substitution predicate: instead, as we will see in Section 3.2, we will inherit the substitution machinery directly from the metalanguage, i.e., the typed λ-calculus of CIC.

There are no constructors for type var: we only assume that there are infinitely many variables.

Parameter var : Set.
Axiom var_nat : (Ex [srj : var->nat] (n:nat) (Ex [x:var] (srj x)=n)).

Then, we define the set of preformulae of the μ-calculus, including those not well formed:

Parameter Act : Set.

Inductive o : Set := p   : o
                   | ff  : o
                   | Not : o -> o
                   | Imp : o -> o -> o
                   | Box : Act -> o -> o
                   | Var : var -> o
                   | mu  : (var->o) -> o.

Notice that the argument of mu is a function of type var->o. In general, this may give rise to exotic terms, i.e. terms which do not correspond to any preformula of the μ-calculus. In our case, this is avoided since var is not declared as an inductive set.

Now, we have to rule out all the non-well-formed formulae. At the moment, the only way for enforcing in CIC context-sensitive conditions over languages is to define a subtype by means of Σ-types. As a first step, we formalize the system for positivity/negativity presented in Figure 2, introducing two judgements posin, negin of type var->o->Prop. A careful analysis of the proof system (Figure 2) points out that the derivation of these judgements is completely syntax driven. It is therefore natural to define these judgements as recursively defined functions, instead of inductively defined propositions. This is indeed possible, but the rules for the binding operators introduce an implicit quantification over the set of variables different from the one we are looking for. This quantification is rendered by assuming a locally new variable (y) and that it is different from the variable x (see the last cases):
Fixpoint posin [x:var;A:o] : Prop :=
  <Prop>Case A of
    True
    True
    [B:o] (negin x B)
    [A1,A2:o] (negin x A1)/\(posin x A2)
    [a:Act][A1:o] (posin x A1)
    [y:var] True
    [F:var->o] (y:var)~(x=y) -> (posin x (F y))
  end
with negin [x:var;A:o] : Prop :=
  <Prop>Case A of
    True
    True
    [B:o] (posin x B)
    [A1,A2:o] (posin x A1)/\(negin x A2)
    [a:Act][A1:o] (negin x A1)
    [y:var] ~(x=y)
    [F:var->o] (y:var)~(x=y) -> (negin x (F y))
  end.

Therefore, in general a goal (posin x A) can be simplified (i.e., by applying the Simpl tactic, in Coq) to a conjunction of only three forms of propositions: True, negations of equalities, or implications from negations of equalities to another conjunction of the same form. These three forms are dealt with simply in the Coq environment, hence proving this kind of goal is a simple and straightforward task.

Then, we can define when a preformula is well formed; namely, when every application of μ satisfies the positivity condition:

Fixpoint iswf [A:o] : Prop :=
  <Prop>Case A of
    True
    True
    [A1:o] (iswf A1)
    [A1:o][A2:o] (iswf A1)/\(iswf A2)
    [a:Act][A1:o] (iswf A1)
    [x:var] True
    [F:var->o] (x:var) ((notin x (mu F)) -> (posin x (F x))) /\ (iswf (F x))
  end.

Hence, each formula of the μ-calculus is represented by a pair preformula-proof of its well-formedness:

Record wfo : Set := mkwfo { prp : o; end : (iswf prp) }.
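As an added example (not code from the paper), the following Python module transcribes the positivity system of Figure 2, the occur-check judgement notin of Appendix A.1 and the well-formedness predicate iswf above onto a constructed first-order AST, and runs them on the formulae discussed in Sections 1 and 2: the $x \supset x$ counterexample of Proposition 4, the ill-formed $\mu x\neg x$, and the $\nu$ shorthand. One simplification is mine: since the AST uses named binders, the PosinMu premise "for $z \neq x$: posin$(x, \varphi[z/y])$" is computed without renaming, as posin$(x,\varphi)$ when $y \neq x$ and as True when $y = x$ (renaming the bound $y$ to a fresh $z$ then removes every occurrence of $x$, so $x$ is not free). For iswf, the bound name itself stands in for the locally fresh variable of the Coq definition.

```python
# Constructed first-order AST for preformulae (the paper's own encoding is the Coq type o):
#   ('p', name) ('ff',) ('not', f) ('imp', f, g) ('box', action, f) ('var', x) ('mu', y, f)

def posin(x, phi):
    """All occurrences of x in phi are positive (Figure 2, Posin rules; Coq Fixpoint posin)."""
    tag = phi[0]
    if tag in ('p', 'ff', 'var'):          # PosinP, PosinV: atoms and variables are positive
        return True
    if tag == 'not':                       # PosinNeg
        return negin(x, phi[1])
    if tag == 'imp':                       # PosinImp: antecedent negative, consequent positive
        return negin(x, phi[1]) and posin(x, phi[2])
    if tag == 'box':                       # PosinBox
        return posin(x, phi[2])
    y, body = phi[1], phi[2]               # PosinMu, without explicit renaming (see lead-in)
    return True if y == x else posin(x, body)

def negin(x, phi):
    """All occurrences of x in phi are negative (Figure 2, Negin rules; Coq Fixpoint negin)."""
    tag = phi[0]
    if tag in ('p', 'ff'):
        return True
    if tag == 'var':                       # NeginV: a bare occurrence of x is not negative
        return phi[1] != x
    if tag == 'not':
        return posin(x, phi[1])
    if tag == 'imp':
        return posin(x, phi[1]) and negin(x, phi[2])
    if tag == 'box':
        return negin(x, phi[2])
    y, body = phi[1], phi[2]
    return True if y == x else negin(x, body)

def notin(x, phi):
    """x does not occur free in phi (the occur-check judgement notin of Appendix A.1)."""
    tag = phi[0]
    if tag in ('p', 'ff'):
        return True
    if tag == 'var':
        return phi[1] != x
    if tag in ('not', 'box'):
        return notin(x, phi[-1])
    if tag == 'imp':
        return notin(x, phi[1]) and notin(x, phi[2])
    return True if phi[1] == x else notin(x, phi[2])

def iswf(phi):
    """Well-formedness: every mu-binder satisfies the positivity condition (Coq Fixpoint iswf)."""
    tag = phi[0]
    if tag in ('p', 'ff', 'var'):
        return True
    if tag in ('not', 'box'):
        return iswf(phi[-1])
    if tag == 'imp':
        return iswf(phi[1]) and iswf(phi[2])
    y, body = phi[1], phi[2]
    # y is not free in (mu y body), so the (notin x (mu F)) hypothesis of the Coq
    # definition holds for x := y and only (posin y body) remains to be checked.
    return posin(y, body) and iswf(body)

def var(x):    return ('var', x)
def imp(f, g): return ('imp', f, g)
def neg(f):    return ('not', f)
def box(a, f): return ('box', a, f)
def mu(x, f):  return ('mu', x, f)

# Constructed sample preformulae
X_IMP_X  = imp(var('x'), var('x'))                           # x > x: neither posin nor negin
MU_NEG   = mu('x', neg(var('x')))                             # mu x.~x: not well formed
MU_BOX   = mu('x', box('a', imp(neg(('p', 'q')), var('x')))) # mu x.[a](~q > x)
NU_BOX   = neg(mu('x', neg(box('a', neg(var('x'))))))        # nu x.[a]x = ~mu x.~[a]~x
NEST_BAD = mu('x', mu('y', imp(var('x'), var('y'))))         # x negative under the inner mu
NEST_OK  = mu('x', mu('y', imp(neg(var('x')), var('y'))))

def report(phi):
    """Verdicts of the four judgements for the variable x on phi."""
    return {'posin': posin('x', phi), 'negin': negin('x', phi),
            'notin': notin('x', phi), 'iswf': iswf(phi)}
```

`report(X_IMP_X)` answers False for both posin and negin although the formula is monotone, which is the gap between Proposition 3 and its converse; `report(MU_BOX)` answers True for all three judgements, since a bound variable is not free and hence, by the lemma notin_posin_negin of Appendix A.1, occurs both positively and negatively.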
In order to establish that our encoding is faithful, we introduce the following notation: for $X = \{x_1,\ldots,x_n\} \subseteq Var$, let $\Phi_X = \{\varphi \mid FV(\varphi) \subseteq X\}$, $\Gamma_X \triangleq x_1 : \mathtt{var}, \ldots, x_n : \mathtt{var}$; moreover, let $o_X = \{t \mid \Gamma_X \vdash t : \mathtt{o},\ t \text{ canonical}\}$ and $\mathit{wfo}_X = \{t \in o_X \mid \exists d.\ \Gamma_X \vdash d : (\mathtt{iswf}\ t)\}$. We can then define the encoding functions $\varepsilon_X : \Phi_X \to o_X$, as follows:

$$\begin{array}{ll}
\varepsilon_X(\mathit{ff}) = \mathtt{ff} & \varepsilon_X(\neg\varphi) = (\mathtt{Not}\ \varepsilon_X(\varphi))\\
\varepsilon_X(\varphi \supset \psi) = (\mathtt{Imp}\ \varepsilon_X(\varphi)\ \varepsilon_X(\psi)) & \varepsilon_X([a]\varphi) = (\mathtt{Box}\ a\ \varepsilon_X(\varphi))\\
\varepsilon_X(x) = x & \varepsilon_X(\mu x\varphi) = (\mathtt{mu}\ [x{:}\mathtt{var}]\varepsilon_{X,x}(\varphi))
\end{array}$$

The faithfulness of our encoding is therefore stated in the following theorem:

Theorem 5 For $X \subseteq Var$ finite, the map $\varepsilon_X$ is a compositional bijection between $\Phi_X$ and $\mathit{wfo}_X$.

Proof. (Sketch) Long but not difficult inductions. First, we prove that posin, negin adequately represent the positivity/negativity proof system. Due to its structure, it is easy to prove that the type (posin x A) is inhabited by at most one canonical form (that is to say, there is at most one way of proving that a preformula is well formed). Therefore, a preformula $\varphi$ is a formula iff each application of μ is valid, iff for each application of μ there exists a (unique) witness of posin, iff there exists an inhabitant of $(\mathtt{iswf}\ \varepsilon_X(\varphi))$. □

3.2 Encoding the proof system NμK

In the encoding paradigm of Logical Frameworks, a proof system is usually represented by introducing a proving judgement over the set of formulae, like T:o -> Prop. A type (T phi) should be read, therefore, as "$\varphi$ is true"; any term which inhabits (T phi) is a witness (a proof) that $\varphi$ is true. Each rule is then represented by a type constructor of T. A complete discussion of this paradigm, with an example of encoding of NC, can be found in the literature.

However, in representing the proof system NμK, two difficult issues arise: the encoding of proof rules, like [·]-I and μ-E, and the substitution of formulas for variables in rule μ-E. These issues escape the standard encoding paradigm, so we have to accommodate some special technique.

Actually, in the underlying theory of CIC there is no direct way of enforcing on a premise the condition that it is a theorem (i.e. that it depends on no assumptions) or, more generally, that a formula depends only on a given set of assumptions. The solution we adopt exploits again the possibility provided by Logical Frameworks of considering locally quantified premises, i.e. general judgements in the terminology of Martin-Löf.

The basic proving judgement is T:U->o->Prop, where U is a set with no constructors. Elements of U will be called worlds for suggestive reasons. Each "pure" rule (i.e., with no side condition) is parameterized over a generic world, like the following (see Appendix A.2 for the complete listing):

Axiom Imp_E : (w:U) (A,B:o) (T w (Imp A B)) -> (T w A) -> (T w B).

Therefore, in a given world all the classical rules apply as usual. It should be noticed, however, that we require a locally introduced formula to be well formed. This is the case of ⊃-I:

Axiom Imp_I : (w:U) (A,B:o) (iswf A) ->
              ((T w A) -> (T w B)) -> (T w (Imp A B)).

Indeed, it can be shown that if we allow for non-well-formed formulae in these "negative positions", we easily get an inconsistent derivation.

Proof rules, on the other hand, are distinguished by local quantifications of the world parameter, in order to make explicit the dependency between a conclusion and its premises. The [·]-I rule is represented as follows:

Axiom Box_I : (w:U) (A:o) (a:Act) ((w':U) (T w' A)) -> (T w (Box a A)).

The idea behind the use of the extra parameter is that in making an assumption, we are forced to assume the existence of a world, say w, and to instantiate the judgement T also on w. This judgement then appears as a hypothesis on w. Hence, deriving as a premise a judgement which is universally quantified with respect to the world amounts to establishing the judgement for a generic world on which no assumptions are made, i.e. on no assumptions.

This idea can be suitably generalized to take care of a fixed number of assumptions, as in rule μ-E; here, the dependency between conclusion and assumption is made evident:

Axiom mu_E : (A:o) (w:U) (F:var->o) (iswf A) ->
             ((z:var) (notin z (mu F)) -> (Var z)=A ->
                (w':U) (T w' (F z)) -> (T w' A))
             -> (T w (mu F)) -> (T w A).

This is the most complex rule of the whole system: besides the world parameter technique, it leads us to the second problematic issue of NμK, namely the substitution of formulae for variables, by means of Leibniz equality =. A similar, but simpler, situation arises in the encoding of μ-I:

Axiom mu_I : (A:o) (w:U) (F:var->o)
             ((z:var) (notin z (mu F)) -> (Var z)=(mu F)
                -> (T w (F z)))
             -> (T w (mu F)).

The idea is not to perform substitution immediately; instead it is delayed until it is actually needed. The binding between the substituted variable z and the formula (mu F) is kept in the derivation environment by the hypothesis (Var z)=(mu F). Moreover, this hypothesis can be used by the Rewrite tactic of Coq, for replacing the variable automatically. Therefore, we do not need to implement any explicit mechanism for substitution: it is directly inherited from the β-reduction of the underlying λ-calculus. For an example of application, see Section A.3.

We also need to locally assume the fact that z does not appear in the formula, i.e. it is fresh. This is achieved by the hypothesis (notin z (mu F)). The judgement notin (and the dual isin, see Section A.1) are auxiliary judgements for occur-checking. Roughly, (notin x A) holds iff x does not occur free in A; dually for isin. They may be needed in the rest of the derivation for inferring well-formedness of discharged formulae in rules RAA, ⊃-I, ¬-I.

The formalization of NμK we have presented is adequate, that is, we can derive a property in the system NμK iff we can inhabit the corresponding type in our encoding. This is stated precisely by the following result:

Theorem 6 For $X \subseteq Var$ finite, for $\varphi_1, \ldots, \varphi_n, \varphi \in \Phi_X$: $\varphi_1, \ldots, \varphi_n \vdash_{N\mu K} \varphi$ iff $\exists t.\ \Gamma_X, w : \mathtt{U}, a_1 : (\mathtt{T}\ w\ \varepsilon_X(\varphi_1)), \ldots, a_n : (\mathtt{T}\ w\ \varepsilon_X(\varphi_n)) \vdash t : (\mathtt{T}\ w\ \varepsilon_X(\varphi))$.

Proof. ($\Rightarrow$) by induction on the derivation; ($\Leftarrow$) by induction on $t$. □

4 Conclusions 

In this paper we have presented an original encoding of the μ-calculus in type-theory based logical frameworks. We have addressed several problematic issues. First, the extensive and wise use of higher-order abstract syntax frees us from a tedious encoding of the mechanisms involved in the handling of bound names, because they are automatically inherited from the metalevel. Secondly, we have faithfully represented the (context-sensitive) language of the μ-calculus by formalizing the notion of "well formed formula". Thirdly, the modal nature of the rules of the μ-calculus has been rendered, although Logical Frameworks do not directly support modal rules.

The techniques we have adopted can be readily ported to other formalisms featuring similar problematic issues, such as the λ-calculus, higher-order process calculi, languages defined by context-sensitive grammars, modal logics, etc.

Moreover, our experience, confirmed also in dealing with the μ-calculus, is that Logical Frameworks allow one to encode faithfully the formal systems under consideration, without imposing on the user of the proof editor the burden of cumbersome encodings. However, nowadays proof editors and Logical Frameworks are still under development; hence, they will benefit from extensive case studies and applications, like the one presented here, which can highlight weak points and suggest further improvements.

Finally, the encoding presented in this paper could be used as the kernel for a user-friendly computer-aided proof environment, in which the user can interactively carry out formal verifications based on the μ-calculus.
Appendix

A Coq code

A.1 Code of the encoding of the syntax

(* Sets for actions, variables *) 

Parameter Act, var : Set.

(* var is at least enumerable *)
Axiom var_nat : (Ex [srj : var->nat] (n:nat) (Ex [x:var] (srj x)=n)).
Lemma neverempty : (x:var) (Ex [y:var] ~(x=y)).
(* proof omitted *) 

(* the set of preformulae, also not well formed *)
Inductive o : Set := p   : o
                   | ff  : o
                   | Not : o -> o
                   | Imp : o -> o -> o
                   | Box : Act -> o -> o
                   | Var : var -> o
                   | mu  : (var->o) -> o.

Fixpoint isin [x:var;A:o] : Prop :=
  <Prop>Case A of
    False
    False
    [B:o] (isin x B)
    [A1,A2:o] (isin x A1)\/(isin x A2)
    [a:Act][B:o] (isin x B)
    [y:var] x=y
    [F:var->o] (y:var) (isin x (F y))
  end.

Fixpoint notin [x:var;A:o] : Prop :=
  <Prop>Case A of
    True
    True
    [B:o] (notin x B)
    [A1,A2:o] (notin x A1)/\(notin x A2)
    [a:Act][B:o] (notin x B)
    [y:var] ~(x=y)
    [F:var->o] (y:var) ~(x=y) -> (notin x (F y))
  end.



Fixpoint posin [x:var;A:o] : Prop :=
  <Prop>Case A of
    True
    True
    [B:o] (negin x B)
    [A1,A2:o] (negin x A1)/\(posin x A2)
    [a:Act][A1:o] (posin x A1)
    [y:var] True
    [F:var->o] (y:var) ~(x=y) -> (posin x (F y))
  end
with negin [x:var;A:o] : Prop :=
  <Prop>Case A of
    True
    True
    [B:o] (posin x B)
    [A1,A2:o] (posin x A1)/\(negin x A2)
    [a:Act][A1:o] (negin x A1)
    [y:var] ~(x=y)
    [F:var->o] (y:var) ~(x=y) -> (negin x (F y))
  end.

Fixpoint iswf [A:o] : Prop :=
  <Prop>Case A of
    True
    True
    [A1:o] (iswf A1)
    [A1:o][A2:o] (iswf A1)/\(iswf A2)
    [a:Act][A1:o] (iswf A1)
    [x:var] True
    [F:var->o] (x:var) ((notin x (mu F)) -> (posin x (F x))) /\ (iswf (F x))
  end.

(* the set of well formed formulae *)
Record wfo : Set := mkwfo { prp : o; end : (iswf prp) }.

(* separation: if x does not appear in A and y does, then x and y are
 * not the same identifier - proof omitted *)
Lemma separation : (x,y:var) (A:o) (notin x A) -> (isin y A) -> ~(x=y).

(* an identifier which does not occur,
 * occurs both positively and negatively - proof omitted *)
Lemma notin_posin_negin :
  (x:var) (A:o) (notin x A) -> (posin x A) /\ (negin x A).

A.2 Code of the encoding of the proof system

(* the universe, for the world technique *)
Parameter U : Set.

(* the proving judgement *)
Parameter T : U -> o -> Prop.

Section Proof_Rules.
Variable A,B : o.
Variable w : U.

(* proof rules operate also on non-well formed formulae, but for
   ensuring the soundness of the system, we need to require
   well-formedness of every discharged formula *)

Axiom ff_I  : (T w A) -> (T w (Not A)) -> (T w ff).
Axiom Not_I : (iswf A) -> ((T w A) -> (T w ff)) -> (T w (Not A)).
Axiom RAA   : (iswf A) -> ((T w (Not A)) -> (T w ff)) -> (T w A).

Axiom Imp_I : (iswf A) -> ((T w A) -> (T w B)) -> (T w (Imp A B)).
Axiom Imp_E : (T w (Imp A B)) -> (T w A) -> (T w B).

Axiom Box_I : (a:Act) ((w':U) (T w' A)) -> (T w (Box a A)).
Axiom K     : (a:Act) (T w (Box a (Imp A B)))
              -> (T w (Box a A)) -> (T w (Box a B)).

Axiom mu_I : (F:var->o)
             ((z:var) (notin z (mu F)) -> (Var z)=(mu F) -> (T w (F z)))
             -> (T w (mu F)).
Axiom mu_E : (F:var->o) (iswf A) ->
             ((z:var) (notin z (mu F)) -> (Var z)=A ->
                (w':U) (T w' (F z)) -> (T w' A))
             -> (T w (mu F)) -> (T w A).
End Proof_Rules.

Lemma ff_E : (A:o) (iswf A) -> (w:U) (T w ff) -> (T w A).
Intros; Apply RAA; Intros; Assumption.
Qed.

A.3 An example session in Coq

We show a complete Coq session, in which we prove that $A \supset \mu x(A \supset x) \vdash \mu x(A \supset x)$. Commands entered by the user follow the Coq prompt.

miculan@maxi:~> coqtop

Welcome to Coq V6.2 (May 1998)

Coq < Require mu.
[Reinterning mu ...done]

Let w be a world and A a formula:

Coq < Variable w:U. Variable A:o.
w is assumed
A is assumed

We claim the lemma we intend to prove; this leads us into "proof mode":

Coq < Lemma simple : (T w (Imp A (mu [x:var](Imp A (Var x))))) ->
                     (T w (mu [x:var](Imp A (Var x)))).
1 subgoal

  ============================
   (T w (Imp A (mu [x:var](Imp A (Var x)))))
   ->(T w (mu [x:var](Imp A (Var x))))

simple < Intros.
1 subgoal

  H : (T w (Imp A (mu [x:var](Imp A (Var x)))))
  ============================
   (T w (mu [x:var](Imp A (Var x))))

simple < Apply mu_I; Intros.
1 subgoal

  H : (T w (Imp A (mu [x:var](Imp A (Var x)))))
  z : var
  H0 : (notin z (mu [x:var](Imp A (Var x))))
  H1 : (Var z)=(mu [x:var](Imp A (Var x)))
  ============================
   (T w (Imp A (Var z)))

Now, we need to replace z by the corresponding formula, in order to conclude:

simple < Rewrite H1.
1 subgoal

  H : (T w (Imp A (mu [x:var](Imp A (Var x)))))
  z : var
  H0 : (notin z (mu [x:var](Imp A (Var x))))
  H1 : (Var z)=(mu [x:var](Imp A (Var x)))
  ============================
   (T w (Imp A (mu [x:var](Imp A (Var x)))))

simple < Apply H.
Subtree proved!

simple < Qed.
(Intros; Apply mu_I; Intros).
Rewrite H1.
Apply H.
simple is defined